From: Nick Porter
Date: Tue, 13 Feb 2024 11:07:07 +0000 (+0000)
Subject: Add basic tests of mschap module
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b9519dfe52cb346eba6fb7c62c58f8d60984fa2;p=thirdparty%2Ffreeradius-server.git
Add basic tests of mschap module
---
diff --git a/scripts/ci/samba-setup.sh b/scripts/ci/samba-setup.sh
index 362ba98a61c..c671abb0f42 100755
--- a/scripts/ci/samba-setup.sh
+++ b/scripts/ci/samba-setup.sh
@@ -44,8 +44,8 @@ if ! grep -q "nameserver 127.0.0.1" /etc/resolv.conf; then grep "^nameserver" /etc/resolv.conf.tmp | sudo tee -a /etc/resolv.conf fi -# Allow non TLS LDAP connections to Samba -sudo sed -i 's/\[global\]/\[global\]\n\tldap server require strong auth = no/' /etc/samba/smb.conf +# Allow non TLS LDAP connections to Samba and NTLM for MSCHAP auth +sudo sed -i 's/\[global\]/\[global\]\n\tldap server require strong auth = no\n\tntlm auth = yes/' /etc/samba/smb.conf # Create user for testing winbind auth sudo /usr/bin/samba-tool user create aduser secret_123
diff --git a/src/tests/modules/mschap/all.mk b/src/tests/modules/mschap/all.mk
new file mode 100644
index 00000000000..c9832c2bb48
--- /dev/null
+++ b/src/tests/modules/mschap/all.mk
@@ -0,0 +1,6 @@
+#
+# Test the "mschap" module
+#
+
+# Don't test mschap if MSCHAP_TEST_SERVER ENV is not set - this indicates winbind is available
+mschap_require_test_server := 1
diff --git a/src/tests/modules/mschap/auth.attrs b/src/tests/modules/mschap/auth.attrs
new file mode 100644
index 00000000000..3080aa6fd7a
--- /dev/null
+++ b/src/tests/modules/mschap/auth.attrs
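Review bot: The `ntlm auth = yes` added to the sed replacement permits NTLMv1 for the whole Samba instance, while the updated comment only says "NTLM for MSCHAP auth". Samba disables NTLMv1 by default because it is weak, so the comment should state that this is a throwaway CI domain controller setting, e.g. `# CI only: permits NTLMv1 (needed by the MS-CHAPv1 winbind test); never copy into a production smb.conf`. If the winbind test is later moved to MS-CHAPv2, `ntlm auth = mschapv2-and-ntlmv2-only` would be the narrower value. The rest of the script lies outside the hunk, so whether anything guards this sed against being applied twice cannot be seen here.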
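Review bot: `mschap_require_test_server := 1` appears to gate the whole directory, so the local `auth` test would also be skipped when MSCHAP_TEST_SERVER is unset, although it checks against `control.Password.Cleartext` and never contacts winbind. If the harness allows it, keeping the local test unconditional would give MS-CHAP coverage on every run. The comment also reads ambiguously, since "this" can be taken to mean the variable being unset; something like `# Skip these tests unless MSCHAP_TEST_SERVER is set (it signals that winbind is available)` is clearer.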
@@ -0,0 +1,16 @@
+#
+# Input Packet
+#
+Packet-Type = Access-Request
+User-Name = "john"
+NAS-IP-Address = 127.0.0.1
+Vendor-Specific.Microsoft.CHAP-Response = 0x000100000000000000000000000000000000000000000000000016c32819add27b3d29f6866506e6cc6548f50b6429518579
+Vendor-Specific.Microsoft.CHAP-Challenge = 0x696bcaff8f8bef29
+
+#
+# Expected answer
+#
+Packet-Type == Access-Accept
+Vendor-Specific.Microsoft.MPPE-Encryption-Policy == Encryption-Allowed
+Vendor-Specific.Microsoft.MPPE-Encryption-Types == RC4-40or128-bit-Allowed
+
diff --git a/src/tests/modules/mschap/auth.unlang b/src/tests/modules/mschap/auth.unlang
new file mode 100644
index 00000000000..96c2dc65b62
--- /dev/null
+++ b/src/tests/modules/mschap/auth.unlang
@@ -0,0 +1,18 @@
+&control.Password.Cleartext := "supersecret"
+
+mschap
+
+if !(&control.Auth-Type == mschap) {
+ test_fail
+}
+
+mschap.authenticate
+
+if !(&reply.Vendor-Specific.Microsoft.CHAP-MPPE-Keys) {
+ test_fail
+}
+
+&reply -= &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+
+test_pass
+
diff --git a/src/tests/modules/mschap/auth_winbind.attrs b/src/tests/modules/mschap/auth_winbind.attrs
new file mode 100644
index 00000000000..2d792eca57c
--- /dev/null
+++ b/src/tests/modules/mschap/auth_winbind.attrs
@@ -0,0 +1,14 @@
+#
+# Input Packet
+#
+Packet-Type = Access-Request
+User-Name = 'EXAMPLE\aduser'
+NAS-IP-Address = 127.0.0.1
+Vendor-Specific.Microsoft.CHAP-Response = 0x0001000000000000000000000000000000000000000000000000553aa92b9b20dba13953035b7ca0a8f6eb198ea6076f8b2a
+Vendor-Specific.Microsoft.CHAP-Challenge = 0xe2d04a33fec38c11
+
+#
+# Expected answer
+#
+Packet-Type == Access-Accept
+
diff --git a/src/tests/modules/mschap/auth_winbind.unlang b/src/tests/modules/mschap/auth_winbind.unlang
new file mode 100644
index 00000000000..99fbac67f2b
--- /dev/null
+++ b/src/tests/modules/mschap/auth_winbind.unlang
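Review bot: Only the accept path is covered in auth.unlang: auth.attrs carries a response that matches `supersecret`, and nothing asserts that a response computed from a different password is rejected. For an authentication module the reject path is the more important case. A sibling test that sends the same packet with a different `&control.Password.Cleartext`, wraps the call as `mschap.authenticate { reject = 1 }` the way the winbind test does, and then fails if `CHAP-MPPE-Keys` is present in the reply would cover it. The fixtures also exercise MS-CHAPv1 (`CHAP-Response`) only; `CHAP2-Response` is mapped in module.conf but not tested.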
@@ -0,0 +1,28 @@
+&control.Password.Cleartext := 'secret_123'
+
+mschap_winbind
+
+if !(&control.Auth-Type == mschap_winbind) {
+ test_fail
+}
+
+mschap_winbind.authenticate {
+ reject = 1
+}
+
+#
+# Depending on host permissions, we may not be able to talk to winbind
+# Handle false failures
+#
+if (&Module-Failure-Message[*] == 'mschap_winbind: Unable to contact winbind!') {
+ test_pass
+ return
+}
+
+if !(&reply.Vendor-Specific.Microsoft.CHAP-MPPE-Keys) {
+ test_fail
+}
+
+&reply := {}
+
+test_pass
diff --git a/src/tests/modules/mschap/authenticate.conf b/src/tests/modules/mschap/authenticate.conf
new file mode 100644
index 00000000000..1f6a6c10a7e
--- /dev/null
+++ b/src/tests/modules/mschap/authenticate.conf
@@ -0,0 +1,7 @@
+authenticate mschap {
+ mschap
+}
+
+authenticate mschap_winbind {
+ mschap
+}
diff --git a/src/tests/modules/mschap/module.conf b/src/tests/modules/mschap/module.conf
new file mode 100644
index 00000000000..f972a90e7b4
--- /dev/null
+++ b/src/tests/modules/mschap/module.conf
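Review bot: The branch matching `mschap_winbind: Unable to contact winbind!` calls `test_pass`, so the test reports success when the winbind path was never exercised. Since all.mk already restricts this directory to runs where MSCHAP_TEST_SERVER is set, an unreachable winbind there is more likely a CI setup fault than a false failure. Consider `test_fail` in that branch, or fixing the host permissions in the setup script, so that a green run means winbind actually authenticated the user. Separately, `&control.Password.Cleartext := 'secret_123'` looks unnecessary for a winbind check; if the module can fall back to a local password (not visible here), it would hide a broken winbind path.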
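Review bot: `authenticate mschap_winbind { mschap }` runs the default `mschap` instance rather than `mschap_winbind`, which looks like a copy-paste slip. The test calls `mschap_winbind.authenticate` directly, so this section body may never execute. If it ever does, the request would be checked against the local password instead of winbind. The section's only statement should be `mschap_winbind`.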
@@ -0,0 +1,40 @@
+mschap {
+
+ attributes {
+ username = &User-Name
+ chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
+ chap_response = &Vendor-Specific.Microsoft.CHAP-Response
+ chap2_response = &Vendor-Specific.Microsoft.CHAP2-Response
+ chap2_success = &Vendor-Specific.Microsoft.CHAP2-Success
+ chap_error = &Vendor-Specific.Microsoft.CHAP-Error
+ chap_mppe_keys = &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+ mppe_recv_key = &Vendor-Specific.Microsoft.MPPE-Recv-Key
+ mppe_send_key = &Vendor-Specific.Microsoft.MPPE-Send-Key
+ mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
+ mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
+ chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
+ }
+}
+
+mschap mschap_winbind {
+ winbind {
+ username = %mschap(User-Name)
+ domain = %mschap(Domain-Name)
+ }
+ attributes {
+ username = &User-Name
+ chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
+ chap_response = &Vendor-Specific.Microsoft.CHAP-Response
+ chap2_response = &Vendor-Specific.Microsoft.CHAP2-Response
+ chap2_success = &Vendor-Specific.Microsoft.CHAP2-Success
+ chap_error = &Vendor-Specific.Microsoft.CHAP-Error
+ chap_mppe_keys = &Vendor-Specific.Microsoft.CHAP-MPPE-Keys
+ mppe_recv_key = &Vendor-Specific.Microsoft.MPPE-Recv-Key
+ mppe_send_key = &Vendor-Specific.Microsoft.MPPE-Send-Key
+ mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
+ mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
+ chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
+ }
+
+}
+
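Review bot: Inside `mschap mschap_winbind`, the winbind `username` and `domain` are expanded with `%mschap(...)`, which presumably resolves through the default instance rather than this one. That works while both instances carry identical options, but the two would silently diverge if either gains instance-specific name handling. Assuming the expansion is registered per instance name, `%mschap_winbind(User-Name)` and `%mschap_winbind(Domain-Name)` would keep the instance self-contained. A one-line comment above each instance naming the backend it tests (local password or winbind) would also help readers of the two otherwise identical `attributes` blocks.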